[SOLVED] HELP! Seem to be a spammer!?
-
Hi Derelict,
Created LAN rules to block all the mail traffic (25/465/587) except for the mailserver itself. Are the rules beneath created correctly? What is the best way to check if the rules are working from a host that isn't allowed to use port 25 etc.
Did run the packet capture for 1000 packets. First run is port 25. I have saved the .cap file and opened it with Wireshark. I see a lot here, but honestly I am not able to see what is a threat or not. The same with the States filter. Not really sure what to look for.
Yes the ISP supports outbound mail through a smarthost (smtp.ziggo.nl)
Hope this helps a bit. For now I have internet again. I have disabled the Exchange send connector till I have found the problem. This was the fourth time the ISP disconnected me.
Kind regards,
Herman -
Just enable logging on that block rule then check the logs. That should tell you who is trying to send email to the outside.
-
Hi Derelict, let me try that. So I assume that the rules are configured correctly?
Regards,
Herman -
Remember that if someone is spoofing one of your email addresses they can cause you issues as well. I haven't read through the thread completely yet so I may be speaking out of the context of given information.
mxtoolbox.com is a good resource to get to know..
Your DNS provider may have an SPF wizard. You might want to consider using it to build your SPF to disallow other servers from sending mail as you. Its not a perfect system but it does help.
Good Luck!
ps. make sure you don't have an open relay.
-
@derelict To be sure. I see the logs in System Logging, Dynamic View?
-
I would just filter the logs for blocks to destination port 25.
-
Hello chpalmer,
Thanks for this tip. I am familiar with MX Toolbox. I am not really sure my domain provider has such a tool. Doesn't MX Toolbox have that tool? I have access to my DNS host file. I see no SPF record in there. For the record, my Exchange Server is configured to send mail via a smart host from the ISP (Ziggo). I do not use MX records to send outbound (Ziggo doesn't allow that).
Any suggestions will be welcome,
Regards,
Herman -
@derelict I have enabled the logging on the LAN Block rule and the allow rule for the Exchange server. But I don't see any logging regarding the rules. Not in normal view nor in Dynamic View. Am I looking at the right place here?
Thanks guys for your patience!
regards,
Herman -
Sounds like. Are you sure it is still ongoing?
-
@derelict The Source IP Address should be my WAN IP?
What is the ^ and the $ meaning in the Destination port? -
Had you set up pfSense notifications? If so, maybe something was going wrong on pfSense and spamming the notifications, or trying to notify you and failing, since you should have gotten them.
Or did you try and set up the mailreport package? These would be the 2 ways that pfSense would/could be trying, at least, to send mail. Which your ISP might not like, especially if something went wrong or was misconfigured and sending out lots of them.
That is regex format looking for the port in question.
-
@herman said in HELP! Seem to be a spammer!?:
"@derelict The Source IP Address should be my WAN IP? What is the ^ and the $ meaning in the Destination port?"
No. You are looking for the inside address so you can find out who on the inside is doing it, so you want to capture on the inside interface (LAN) for all addresses. Unless, like @johnpoz said above, it's actually the firewall doing the emailing.
The fields there are regular expressions.
^25$ will only match 25.
25 might match 2579, 8254, 9925, 25341, etc. -
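The anchored versus unanchored port filter above, and how the logged blocks are then turned into a per-host list of inside machines trying to send mail, as an added Python example (not from the thread; the log lines are constructed in a simplified comma-separated layout and are not real pfSense output):

```python
import re
from collections import Counter

# Constructed sample lines, loosely modelled on a firewall block log:
# action, interface, protocol, source, destination, destination port.
# These are NOT real pfSense log lines; the layout is an assumption.
SAMPLE_LOG = """\
block,lan,tcp,10.0.0.23,203.0.113.10,25
block,lan,tcp,10.0.0.23,203.0.113.11,25
pass,lan,tcp,10.0.0.5,203.0.113.10,25
block,lan,tcp,10.0.0.40,198.51.100.7,2579
block,lan,tcp,10.0.0.41,198.51.100.8,8254
block,lan,tcp,10.0.0.42,198.51.100.9,25341
block,lan,tcp,10.0.0.23,203.0.113.12,465
block,lan,tcp,10.0.0.23,203.0.113.13,587
"""


def match_port(pattern, log_text):
    """Return the log lines whose destination-port field matches the regex.

    With pattern "25" this also matches 2579, 8254 and 25341 (substring
    match); with "^25$" only a port of exactly 25 matches.
    """
    rx = re.compile(pattern)
    return [line for line in log_text.splitlines()
            if rx.search(line.split(",")[5])]


def blocked_mail_sources(log_text, ports=("25", "465", "587")):
    """Count blocked connections per inside host on the mail ports.

    Only 'block' entries count: the allow rule for the real mail server
    produces 'pass' entries, which are expected and ignored here.
    """
    # Anchored alternation: exactly 25, 465 or 587, nothing longer.
    rx = re.compile(r"^(" + "|".join(ports) + r")$")
    counts = Counter()
    for line in log_text.splitlines():
        action, _iface, _proto, src, _dst, dport = line.split(",")
        if action == "block" and rx.search(dport):
            counts[src] += 1
    return counts


if __name__ == "__main__":
    print(len(match_port("25", SAMPLE_LOG)), "loose hits")
    print(len(match_port("^25$", SAMPLE_LOG)), "exact hits")
    for host, n in blocked_mail_sources(SAMPLE_LOG).most_common():
        print(host, n)
```

The host at the top of the count is the one to inspect for the misbehaving mail client or malware, which is exactly what the LAN-side capture or log filter is meant to reveal.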
I have notifications configured. I don't think the firewall is the boogeyman, because I set up the internal IP address (10.0.0.x) of the mailserver and mailing to an internal mailbox. Even now that the outbound send connector is temporarily disabled, the test message from the pfSense arrives in the correct mailbox.
Regards Herman
-
Well, if you're not seeing it logged anywhere, then maybe the ISP is full of shit.. Not the first time that sort of thing ever happened. Did your IP change recently? Maybe it was the guy with your IP before you, etc.
If you're logging all outbound on 25 and not seeing anything logged, then it's being sent by you, or you have an active state that is still in use? Did you check your state table? Flush it after you create your block/logging rules? You have it logging on all possible inbound ports? You have any road warriors coming in via VPN that could be sending spam through the VPN connection?
edit: contoso.com - that is one of the domains MS uses in its examples ;)
https://en.wikipedia.org/wiki/Contoso
So your Exchange is sending spam? If you're letting Exchange outbound, and your ISP is saying you're spamming, then yeah, more than likely it is your Exchange. If you have all kinds of crap like that in its queue, what other sort of nonsense is in there? And being sent or tried to be sent, etc.
If you can not just check your Exchange log for what it has sent, how about just sniffing on your WAN for outbound 25... And look to see what kind of stuff is being sent or attempted to be sent.. Email is sent in the clear, so it's very easy to view all the info in the email.
Do you accept inbound email into your Exchange? If so, it could be spammers bouncing off you, or using reflection spam.. PM me what your public IP is - will check to see if spam can be bounced off you, i.e. open relay.
-
@johnpoz I would really love to pm you, if you teach me how to? God I feel so stupid right now...
-
"Failure, the best teacher it is!"
-
hehe..
Dude look at my profile - you figured out how to follow me..
Click the 3 dots and then start conversation - or just answer the one I started with you.
-
Hi Guys,
It seems that I have found the problem. It looked like there was a corrupt Health Mailbox. I found that because the mails always showed up with the email address inboundproxy@contose.com. The details can be seen in the screenshot earlier. After I finished the migration from Exchange 2013 to 2016 the problem went away. Let's keep our fingers crossed that this was THE problem?!
I would like to thank all of you guys helping me and giving me a tremendous learning curve. Without your knowledge and tips I wouldn’t have learned so much about pfSense already. We probably will see each other in another topic as I have so many more questions.
Thanks guys, @chpalmer @Derelict @Grimson @johnpoz
Regards,
Herman